In this post we will see how to configure a Wireless LAN Controller (WLC) and Cisco ISE Server (Cisco Identity Service Engine) so that the AAA server can authenticate management users on the controller. We will also see that how different management users can receive different privileges using Vendor-specific Attributes (VSAs) returned from the Cisco ISE RADIUS server.

To authenticate a user via RADIUS server, for controller login and management, we must add the user to the RADIUS database with the IETF RADIUS attribute Service-Type set to the appropriate value according to the user’s privileges.

In order to set read-write privileges for the user, set the Service-Type Attribute to Administrative.

In order to set read-only privileges for the user, set the Service-Type Attribute to NAS-Prompt.